Recap of Last Lesson: Learned about file permissions and running executables.
Find the password to the next level
- There is a setuid binary in the home directory that does the following: it makes a connection to localhost on the port you specify as a command line argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20).
- If the password is correct, it will transmit the password for the next level (bandit21).NOTE: To beat this level, you need to login twice: once to run the setuid command, and once to start a network daemon to which the setuid will connect.
So by reading our gathered intel we’ve determined that we have a binary in the home directory that connects to a port, let’s run it without any arguments and see if it has any more info.
It appears to say pretty much what our intel did, that we have to connect to a port, send the current level password to it, and then it will send the password to the next level back. So now the problem is finding a way for us to listen to a port without setting up an entire service that we don’t need. If you remember a few lessons ago we talked about nc and it’s many uses. One of them is being able to go create a simple connection to pass data between two hosts on a port.
Where -l is the option for listening mode and 1025 being the first port outside of the well known 1024. Now lets see what happens when we connect to that port with another session, please note that the sessions have to be running simultaneously of this to work.
As we the text in under one of our prompts we see that it appears on the other one. This means that our ports can hear each other. So let’s set one up and try and connect with the binary file that has been created for us.
We entered the level to the current password under the listening port to send it to the binary file, and it sent us back a password! It looks like we’ve got it!
We learned how to setup nc to listen to ports and how to establish simple data transfer using it.